Abstract. Building on the work by Fainekos and Pappas and the one by Donzé and Maler, we introduce AvSTL, an extension of metric interval temporal logic by averaged temporal operators. Its expressivity in capturing both space and time robustness helps solve falsification problems (searching for a critical path in hybrid system models); it does so by communicating a designer's intention more faithfully to the stochastic optimization engine employed in a falsification solver. We also introduce a sliding window-like algorithm that keeps the cost of computing truth/robustness values tractable.


1 Introduction 

Model-Based Development of Hybrid Systems The demand for quality assurance of cyber-physical systems (CPS) is ever-rising, now that computer-controlled artifacts—cars, aircraft, and so on—serve diverse safety-critical tasks everywhere in our daily lives. In the industry practice of CPS design, deployment of model-based development (MBD) has become a norm. In MBD, (physical and costly) testing workbenches are replaced by (virtual and cheap) mathematical models; and this reduces by a great deal the cost of running a development cycle—design, implementation, evaluation, and redesign.

One of the distinctive features of CPS is that they are hybrid systems and combine discrete and continuous dynamics. For MBD of such systems the software Simulink has emerged as an industry standard. In Simulink a designer models a system using block diagrams—a formalism strongly influenced by control theory—and runs simulation, that is, numerical solution of the system's dynamics.

Falsification The models of most real-world hybrid systems are believed to be beyond the reach of formal verification. While this is certainly the case with systems as big as a whole car, a single component of it (like an automatic transmission or an engine controller) overwhelms the scalability of the state-of-the-art formal verification techniques, too.

What is worse, hybrid system models tend to have black-box components. An example is fuel combustion in an engine. Such chemical reactions are not easy to model with ODEs, and are therefore commonly represented in a Simulink model by a look-up table—a big table of values obtained by physical measurements [7,8]. The lack of structure in a look-up table poses a challenge to formal verification: each entry of the table calls for separate treatment; and this easily leads to state-space explosion.

Under such circumstances, falsification by stochastic optimization has proved to be a viable approach to quality assurance. The problem is formulated as follows:

The falsification problem

Given: a model $\mathcal{M}$ (a function from an input signal to an output signal), and a specification $\varphi$ (a temporal formula).

Answer: a critical path, that is, an input signal $\sigma_{\mathrm{in}}$ such that the output $\mathcal{M}(\sigma_{\mathrm{in}})$ does not satisfy $\varphi$.

Unlike testing or monitoring—where an input $\sigma_{\mathrm{in}}$ is given and we check if $\mathcal{M}(\sigma_{\mathrm{in}}) \models \varphi$—a falsification solver employs stochastic optimization techniques (like Monte-Carlo ones) and iteratively searches for a falsifying input signal $\sigma_{\mathrm{in}}$.

Falsification is a versatile tool in MBD of hybrid systems. It is capable of searching for counterexamples, hence revealing potential faults in the design. One can also take, as a specification $\varphi$, the negation of a desirable property; then successful falsification amounts to synthesis of an input signal that satisfies the property. Stochastic optimization used in falsification typically does not rely on the internal structure of models, therefore the methodology is suited for models with black-box components. Falsification is fairly scalable, making it a realistic option in industrial MBD scenarios; see e.g. [17,18].

The current work aims at enhancing falsification solvers, notable among which are S-TaLiRo [6] and BREACH. An obvious way to do so is via improvement of stochastic optimization; see e.g. [23,25]. Here we take a different, logical approach.

Robustness in Metric Temporal Logics Let us turn to a formalism in which a specification $\varphi$ is expressed. Metric interval temporal logic (MITL) [5], and its adaptation signal temporal logic (STL) [22], are standard temporal logics for (continuous-time) signals. However their conventional semantics—where satisfaction is Boolean—is not suited for falsification by stochastic optimization. This is because a formula $\varphi$, no matter whether it is robustly satisfied or barely satisfied, yields the same truth value ("true"), making it not amenable to hill-climbing-style optimization.

It is the introduction of robust semantics of MITL [15] that set off the idea of falsification by optimization. In robust semantics, a signal $\sigma$ and a formula $\varphi$ are assigned a continuous truth value $[\![\sigma,\varphi]\!] \in \mathbb{R}$ that designates how robustly the formula is satisfied. Such "robustness values" constitute a sound basis for stochastic optimization.

The original robust semantics in [15] is concerned with space robustness: for example, the truth values of $\Diamond_{[0,10]}(v > 80)$ ("the velocity reaches 80 km/h within 10 sec.") are 20 and 0, for the green and red signals on the right. Therefore space robustness is a "vertical margin" between a signal and a specification. An efficient algorithm is proposed in [11] for computing this notion of robustness.

The notion of robustness is extended in [12] to take time robustness also into account. Consider the same specification $\Diamond_{[0,10]}(v > 80)$ against the green and red signals on the right. The green one is more robust since it reaches 80 km/h much earlier than the deadline (10 sec.), while the red one barely makes the deadline.

The current work continues this line of work, with the slogan that expressivity of temporal logic should help falsification. With more expressivity, a designer's concerns that were previously ignored (much like time robustness was ignored in [15]) come to be reflected in the continuous truth value. The latter will in turn help stochastic optimization by giving additional "hints." We are however in a trade-off situation: the more expressive a logic is, the more expensive computation of truth values is in general.

Contributions We aim at: a good balance in the last trade-off between expressivity and computational cost; and thereby enhancing falsification solvers by giving more "hints" to stochastic optimization procedures. Our technical contributions are threefold.

The logic AvSTL. We introduce averaged STL (AvSTL); it is an extension of STL [22] by so-called averaged temporal operators like $\overline{\mathcal{U}}_I$ and $\overline{\Diamond}_I$. The (continuous) truth values of the new operators are defined by the average of truth values in a suitable interval. We show that this simple extension of STL successfully combines space and time robustness in [12,15]; and that its expressivity covers many common specifications (expeditiousness, persistence, deadline, etc.) encountered in the context of CPS.

An algorithm for computing AvSTL robustness. It is natural to expect that nonlocal temporal operators—like $\mathcal{U}_I$, $\Diamond_I$ and their averaged variants—incur a big performance penalty in computing truth values. For STL (without averaged modalities) an efficient algorithm is proposed in [11]; it employs the idea of the sliding window minimum algorithm and achieves complexity that is linear with respect to the size of an input signal (measured by the number of timestamps).

We show that, under mild and realistic assumptions, the same idea as in [11] can be successfully employed to compute AvSTL truth values with linear complexity.

Enhancing S-TaLiRo: implementation and experiments. We use S-TaLiRo and demonstrate that our logic AvSTL indeed achieves a reasonable balance between expressivity and computational cost. We present our prototype implementation: it takes S-TaLiRo and lets the above algorithm (called the AvSTL evaluator) replace TaLiRo, S-TaLiRo's original engine for computing STL truth values (see the figure in §4).

For its evaluation, we pick some benchmark models $\mathcal{M}$ and STL specifications $\varphi$—they are mostly automotive examples—and compare performance between:

- our prototype, run for $\mathcal{M}$ and the original STL specification $\varphi$;³ and

- our prototype, run for $\mathcal{M}$ and a refinement of $\varphi$ given as an AvSTL formula.

For benchmarks of a certain class we observe substantial performance improvement: sometimes the latter is several times faster; and in some benchmarks we even see the latter succeed in falsification while the former fails to do so.

Related Work Besides those which are discussed above and below, a closely related work is [2] (its abstract appeared in [3]). There a notion of conformance between two models $\mathcal{M}_1, \mathcal{M}_2$ is defined; and it is much like (an arity-2 variation of) a combination of space and time robustness. Its use in falsification and comparison with the current approach is future work.

³ This is the control case of our experiments. We do not use S-TaLiRo itself, because we would like to disregard the potential disadvantage caused by the communication between the AvSTL evaluator (the additional component) and S-TaLiRo. We note that the AvSTL evaluator is capable of evaluating STL formulas, too.
Organization of the Paper In §2 we introduce the logic AvSTL: its syntax, semantics, some basic properties and examples of temporal specifications expressible in it. In §3, building on [11], an algorithm for computing AvSTL truth values is introduced and its complexity is studied. The algorithm is implemented and used to enhance a falsification solver S-TaLiRo, in §4, where experiment results are presented and discussed.

We used colors in some figures for clarity. Consult the electronic edition in case the colors are unavailable. Most of the proofs are deferred to the appendix.

Acknowledgments Thanks are due to Georgios Fainekos, Tomoyuki Kaga, Toshiki Kataoka, Hisashi Miyashita, Kohei Suenaga and Tomoya Yamaguchi for helpful discussions. The authors are supported by Grant-in-Aid for Young Scientists (A) No. 24680001, JSPS; and T.A. is supported by Grant-in-Aid for JSPS Fellows.


2 Averaged Signal Temporal Logic AvSTL 

We introduce averaged STL (AvSTL). It is essentially an extension of MITL [5] and STL [22] with so-called averaged temporal operators. We describe its syntax and its semantics (that is inspired by robust semantics in [12,15]). We also exemplify the expressivity of the logic, by encoding common temporal specifications like expeditiousness, persistence and deadline. Finally we will discuss the relationship to the previous robustness notions [12,15] for STL.

2.1 Syntax 

We let $\equiv$ stand for syntactic equality. We let $\mathbb{R}$ denote the set of real numbers, with $\mathbb{R}_{\ge 0}$ and $\mathbb{R}_{\le 0}$ denoting its obvious subsets. We also fix the set $\mathbf{Var}$ of variables, each of which stands for a physical quantity (velocity, temperature, etc.).

Definition 2.1 (syntax) In AvSTL, the set $\mathbf{AP}$ of atomic propositions and the set $\mathbf{Fml}$ of formulas are defined as follows.

$$\mathbf{AP} \ni l ::= x < r \mid x \le r \mid x > r \mid x \ge r \qquad \text{where } x \in \mathbf{Var},\ r \in \mathbb{R}$$

$$\mathbf{Fml} \ni \varphi ::= \top \mid \bot \mid l \mid \neg\varphi \mid \varphi \vee \varphi \mid \varphi \wedge \varphi \mid \varphi\, \mathcal{U}_I\, \varphi \mid \varphi\, \overline{\mathcal{U}}_I\, \varphi \mid \varphi\, \mathcal{R}_I\, \varphi \mid \varphi\, \overline{\mathcal{R}}_I\, \varphi$$

Here $I$ is a closed non-singular interval in $\mathbb{R}_{\ge 0}$, i.e. $I = [a,b]$ or $[a,\infty)$ where $a < b$. The overlined operator $\overline{\mathcal{U}}_I$ is called the averaged-until operator.

We introduce the following connectives as abbreviations, as usual: $\varphi_1 \to \varphi_2 \equiv (\neg\varphi_1) \vee \varphi_2$, $\Diamond_I\varphi \equiv \top\, \mathcal{U}_I\, \varphi$, $\Box_I\varphi \equiv \bot\, \mathcal{R}_I\, \varphi$, $\overline{\Diamond}_I\varphi \equiv \top\, \overline{\mathcal{U}}_I\, \varphi$ and $\overline{\Box}_I\varphi \equiv \bot\, \overline{\mathcal{R}}_I\, \varphi$. We omit the subscript $I$ of temporal operators if $I = [0,\infty)$. The operators $\overline{\mathcal{R}}_I$, $\overline{\Diamond}_I$ and $\overline{\Box}_I$ are called the averaged-release, averaged-eventually and averaged-henceforth operators, respectively. We say a formula $\varphi$ is averaging-free if it does not contain any averaged temporal operator.


2.2 Robust Semantics 

AvSTL formulas, much like STL formulas in [12,15], are interpreted over (real-valued, continuous-time) signals. The latter stand for trajectories of hybrid systems.

Table 1. Definition of positive and negative robustness. Only the rows that survived extraction are reproduced:

$[\![\sigma, \bot]\!]^- = -\infty$

$[\![\sigma, x < r]\!]^- = 0 \sqcap (r - \sigma(0)(x))$

$[\![\sigma, x \le r]\!]^- = 0 \sqcap (r - \sigma(0)(x))$

$[\![\sigma, x > r]\!]^- = 0 \sqcap (\sigma(0)(x) - r)$

$[\![\sigma, x \ge r]\!]^- = 0 \sqcap (\sigma(0)(x) - r)$

$[\![\sigma, \neg\varphi]\!]^+ = -[\![\sigma, \varphi]\!]^-$

(The remaining rows, for $\top$, the Boolean connectives, $\mathcal{U}_I$, $\mathcal{R}_I$ and the averaged operators, each with separate cases for bounded and unbounded $I$, are not recoverable from this copy.)

Definition 2.2 (signal) A signal over $\mathbf{Var}$ is a function $\sigma: \mathbb{R}_{\ge 0} \to (\mathbb{R}^{\mathbf{Var}})$; it is therefore a bunch of physical quantities indexed by a continuous notion of time.

For a signal $\sigma$ and $t \in \mathbb{R}_{\ge 0}$, $\sigma^t$ denotes the $t$-shift of $\sigma$, that is, $\sigma^t(t') = \sigma(t + t')$.

The interpretation of a formula $\varphi$ over a signal $\sigma$ is given by two different "truth values," namely positive and negative robustness. They are denoted by $[\![\sigma,\varphi]\!]^+$ and $[\![\sigma,\varphi]\!]^-$, respectively.

We will always have $[\![\sigma,\varphi]\!]^+ \ge 0$ and $[\![\sigma,\varphi]\!]^- \le 0$.

We will also see that, for averaging-free $\varphi$, it is never the case that $[\![\sigma,\varphi]\!]^+ > 0$ and $[\![\sigma,\varphi]\!]^- < 0$ hold at the same time. See the figure on the right for an example, where a sine-like (black) curve is a signal $\sigma$. The blue and red curves stand for the positive and negative robustness, respectively, of the formula $x > 0$ over the ($t$-shifted) signal $\sigma^t$.



(Figure omitted; its horizontal axis is time $t$.)


Definition 2.3 (positive/negative robustness) Let $\sigma: \mathbb{R}_{\ge 0} \to \mathbb{R}^{\mathbf{Var}}$ be a signal and $\varphi$ be an AvSTL formula. We define the positive robustness $[\![\sigma,\varphi]\!]^+ \in \mathbb{R}_{\ge 0} \cup \{\infty\}$ and the negative robustness $[\![\sigma,\varphi]\!]^- \in \mathbb{R}_{\le 0} \cup \{-\infty\}$ by mutual induction, as shown in Table 1. Here $\sqcap$ and $\sqcup$ denote infimums and supremums of real numbers, respectively.

The definition in Table 1 is much like the one for STL [11,12],⁴ except for the averaged modalities, on which a detailed account follows shortly. Conjunctions and disjunctions are interpreted by infimums and supremums, in a straightforward manner.


⁴ There is no distinction between strict inequalities ($<$) and non-strict ones ($\le$). This is inevitable in the current robustness framework. This is also the case with STL in [11,12].
Fig. 1 illustrates the semantics of averaged temporal operators—the novelty of our logic AvSTL. Specifically, the black line designates a signal $\sigma$ whose only variable is $x$; and we consider the "averaged-eventually" formula $\overline{\Diamond}_{[0,1]}(x > 0)$. For this formula, the definition in Table 1 specializes to:

$$[\![\sigma, \overline{\Diamond}_{[0,1]}(x > 0)]\!]^+ = \int_0^1 \Big( \bigsqcup_{\tau' \in [0,\tau]} 0 \sqcup \sigma(\tau')(x) \Big)\, d\tau \qquad\text{and}\qquad [\![\sigma, \overline{\Diamond}_{[0,1]}(x > 0)]\!]^- = \int_0^1 \Big( \bigsqcup_{\tau' \in [0,\tau]} 0 \sqcap \sigma(\tau')(x) \Big)\, d\tau .$$

These values obviously coincide with the sizes of the blue and red areas in Fig. 1, respectively.

Through this "area" illustration of the averaged-eventually operator we see that: the sooner $\varphi$ is true, the more (positively) robust $\overline{\Diamond}_I\varphi$ is. It is also clear from Fig. 1 that our semantics captures space robustness too: the bigger a vertical margin is, the bigger an area is.

Fig. 1. The positive and negative robustness of $\overline{\Diamond}_{[0,1]}(x > 0)$ at $t = 0$. (Figure omitted.)



Remark 2.4 Presence of averaged temporal operators forces separation of two robustness measures (positive and negative). Assume otherwise, i.e. that we have one robustness measure that can take both positive and negative values; then robustness that floats between positive and negative values over time can "cancel out" after an average is taken. This leads to the failure of soundness (see Prop. 2.9 and 2.10; also [12,15]), and then a positive robustness value no longer witnesses the Boolean truth of (the qualitative variant of) the formula. This is not convenient in the application to falsification.


2.3 Basic Properties of AvSTL 


Lemma 2.5 (temporal monotonicity) Let $0 \le t_0 \le t \le t'$. The following hold.

$$[\![\sigma, \varphi_1\, \mathcal{U}_{[t_0,t]}\, \varphi_2]\!]^+ \le [\![\sigma, \varphi_1\, \mathcal{U}_{[t_0,t']}\, \varphi_2]\!]^+ \qquad [\![\sigma, \varphi_1\, \mathcal{U}_{[t_0,t]}\, \varphi_2]\!]^- \le [\![\sigma, \varphi_1\, \mathcal{U}_{[t_0,t']}\, \varphi_2]\!]^-$$

$$[\![\sigma, \varphi_1\, \mathcal{R}_{[t_0,t]}\, \varphi_2]\!]^+ \ge [\![\sigma, \varphi_1\, \mathcal{R}_{[t_0,t']}\, \varphi_2]\!]^+ \qquad [\![\sigma, \varphi_1\, \mathcal{R}_{[t_0,t]}\, \varphi_2]\!]^- \ge [\![\sigma, \varphi_1\, \mathcal{R}_{[t_0,t']}\, \varphi_2]\!]^-$$

The inequalities hold also for the averaged temporal operators. □


We can now see well-definedness of Def. 2.3: we need that the integrals are defined; and the lemma shows that the integrated functions are monotone, hence Riemann integrable.

In Def. 2.3, the definitions for averaged operators with an infinite endpoint (like $\overline{\mathcal{U}}_{[0,\infty)}$) are given in terms of non-averaged operators. This is so that their well-definedness is immediate; the following lemma justifies those definitions.

Lemma 2.6 For any $t_0 \in \mathbb{R}_{\ge 0}$, $[\![\sigma, \varphi_1\, \mathcal{U}_{[t_0,\infty)}\, \varphi_2]\!]^+ = \lim_{t \to \infty} [\![\sigma, \varphi_1\, \overline{\mathcal{U}}_{[t_0,t]}\, \varphi_2]\!]^+$. The same is true if we replace $[\![\_]\!]^+$ with $[\![\_]\!]^-$, and if we replace $\mathcal{U}$ with $\mathcal{R}$. □
Fig. 2. Expeditiousness. Fig. 3. Deadline. Fig. 4. Persistence. (Figures omitted.)


2.4 Common Temporal Specifications Expressed in AvSTL 

Here we shall exemplify the expressivity of AvSTL, by encoding typical temporal specifications encountered in the model-based development of cyber-physical systems.

Remark 2.7 In what follows we sometimes use propositional variables such as $\mathrm{airbag}$ and $\mathrm{gear}_i$. For example, $\mathrm{gear}_2$ is a shorthand for the atomic formula $x_{\mathrm{gear}_2} > 0$ in AvSTL, where the variable $x_{\mathrm{gear}_2}$ is assumed to take a discrete value ($1$ or $-1$).

Expeditiousness ($\overline{\Diamond}_I\varphi$) Consider the following informal specification: after heavy braking, the airbag must operate within 10 ms. Its formalization in STL is straightforward by the formula $\Box(\mathrm{heavyBraking} \to \Diamond_{[0,10]}\mathrm{airbag})$. However, an airbag that operates after 1 ms. is naturally more desirable than one that operates after 9.99 ms. The STL formula fails to discriminate between these two airbags.

Such expeditiousness ("as soon as possible") requirements are more adequately modeled in AvSTL, using the averaged-eventually modality $\overline{\Diamond}_I$. See Fig. 2, where the horizontal axis is for time $t$. The vertical axis in the figure stands for the positive robustness value $[\![\sigma_t, \overline{\Diamond}_{[0,10]}\mathrm{airbag}]\!]^+$ of the formula $\overline{\Diamond}_{[0,10]}\mathrm{airbag}$, where $\sigma_t$ is a signal in which airbag operates (i.e. $x_{\mathrm{airbag}}$ changes from $-1$ to $1$) at time $t$. We see that the formula successfully distinguishes an early-bird airbag from a lazy one.

Therefore the AvSTL formula $\Box(\mathrm{heavyBraking} \to \overline{\Diamond}_{[0,10]}\mathrm{airbag})$ formalizes a (refined) informal specification that: after heavy braking, the airbag must operate within 10 ms; but the sooner the better. It is not hard to expect that the latter is more faithful to the designer's intention than the original informal specification.

Deadline ($\Diamond_{[0,T]}\varphi \vee \overline{\Diamond}_{[T,T+\delta]}\varphi$) The expeditiousness-type requirement that we have discussed is sometimes too strict. Let us consider the following scenario: there is a deadline set at time $T$ and arrival by then is rewarded no matter how late; and then there is a deadline extension by time $\delta$ and arrival between the deadline and the extended one is rewarded too, but with a certain deduction.

Such a deadline specification is expressed in AvSTL by the formula $\Diamond_{[0,T]}\varphi \vee \overline{\Diamond}_{[T,T+\delta]}\varphi$, combining non-averaged and averaged eventually modalities. See Fig. 3, where the positive robustness of the formula $(\Diamond_{[0,5]}\mathrm{airbag}) \vee (\overline{\Diamond}_{[5,10]}\mathrm{airbag})$ is plotted, for the same signals $\sigma_t$ as before (i.e. in $\sigma_t$ the airbag operates at time $t$).

Persistence ($\Box_{[0,T]}\varphi \wedge \overline{\Box}_{[T,T+\delta]}\varphi$) Persistence ("for as long as possible") specifications are dual to deadline ones and expressed by a formula $\Box_{[0,T]}\varphi \wedge \overline{\Box}_{[T,T+\delta]}\varphi$. An example is the following informal specification on automatic transmission: when a gear shifts into first, it never shifts into any other gear for the coming 50 ms. A likely intention behind it is to prevent mechanical wear of gears that is caused by frequent gear shifts. In this case the following specification would be more faithful to the intention: when a gear shifts into first, it never shifts into any other gear for the coming 50 ms., and preferably for longer. This is formalized by the formula $\Box(\mathrm{shiftIntoGear}_1 \to \Box_{[0,50]}\mathrm{gear}_1 \wedge \overline{\Box}_{[50,50+\delta]}\mathrm{gear}_1)$.

For illustration, Fig. 4 plots the positive robustness of $\Box_{[0,50]}\mathrm{gear}_1 \wedge \overline{\Box}_{[50,60]}\mathrm{gear}_1$ for signals $\sigma'_t$, where $\mathrm{gear}_1$ is true in $\sigma'_t$ from time 0 to $t$, and is false afterwards.
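As an added worked example (not code from the paper or from S-TaLiRo), the following Python evaluates the positive robustness, at $t = 0$, of the three specifications above over finitely piecewise-constant signals: the airbag family $\sigma_t$ of Figs. 2 and 3 and the gear family $\sigma'_t$ of Fig. 4. Atoms follow Table 1 ($x > r$ has positive robustness $0 \sqcup (x - r)$), $\Diamond_{[a,b]}$ and $\Box_{[a,b]}$ take the supremum and infimum over the window, and the averaged modalities are computed as the area under the running supremum or infimum divided by $b - a$, which is the "area" reading of Fig. 1. The step signals, the $\pm 1$ encoding of propositional variables (Remark 2.7) and all function names are this example's own assumptions.

```python
"""Positive robustness of the §2.4 specifications at t = 0 over step signals.
Added example; the ±1 step encodings and every name here are assumptions."""
from typing import Callable, List, Tuple

Step = List[Tuple[float, float]]  # FPC signal [(t0, v0), ...]: value v_i on [t_i, t_{i+1})


def step_at(sig: Step, t: float) -> float:
    """Right-continuous value of a step signal at time t."""
    value = sig[0][1]
    for ts, v in sig:
        if ts <= t:
            value = v
    return value


def atom_gt(x: Step, r: float) -> Step:
    """Positive robustness signal of the atom x > r: 0 ⊔ (x - r), per Table 1."""
    return [(ts, max(0.0, v - r)) for ts, v in x]


def window_extremum(rob: Step, a: float, b: float, op: Callable) -> float:
    """op (max or min) of a robustness signal over the closed window [a, b]."""
    inner = [step_at(rob, ts) for ts, _ in rob if a < ts < b]
    return op([step_at(rob, a)] + inner + [step_at(rob, b)])


def eventually(rob: Step, a: float, b: float) -> float:
    """[[σ, ◇_[a,b] φ]]^+ : supremum of [[φ]]_σ over [a, b]."""
    return window_extremum(rob, a, b, max)


def henceforth(rob: Step, a: float, b: float) -> float:
    """[[σ, □_[a,b] φ]]^+ : infimum of [[φ]]_σ over [a, b]."""
    return window_extremum(rob, a, b, min)


def averaged(rob: Step, a: float, b: float, op: Callable) -> float:
    """(1/(b-a)) ∫_a^b ( op_{τ'∈[a,τ]} [[φ]]_σ(τ') ) dτ, exact for step signals."""
    cur, prev, area = step_at(rob, a), a, 0.0
    for ts, _ in rob:
        if a < ts < b:                       # breakpoints inside the window
            area += (ts - prev) * cur
            cur, prev = op(cur, step_at(rob, ts)), ts
    return (area + (b - prev) * cur) / (b - a)


def avg_eventually(rob: Step, a: float, b: float) -> float:
    """[[σ, ◇̄_[a,b] φ]]^+ : average of the running supremum (the blue area of Fig. 1)."""
    return averaged(rob, a, b, max)


def avg_henceforth(rob: Step, a: float, b: float) -> float:
    """[[σ, □̄_[a,b] φ]]^+ : average of the running infimum."""
    return averaged(rob, a, b, min)


def airbag_signal(t_fire: float) -> Step:
    """σ_t of Fig. 2 (constructed): x_airbag is -1 before t_fire and 1 from t_fire on."""
    return atom_gt([(0.0, -1.0), (t_fire, 1.0)], 0.0)


def expeditiousness(t_fire: float) -> Tuple[float, float]:
    """(STL ◇_[0,10] airbag, AvSTL ◇̄_[0,10] airbag) for σ_t: the two formulas of Fig. 2."""
    rob = airbag_signal(t_fire)
    return eventually(rob, 0.0, 10.0), avg_eventually(rob, 0.0, 10.0)


def deadline(t_fire: float) -> float:
    """◇_[0,5] airbag ∨ ◇̄_[5,10] airbag for σ_t (disjunction = supremum)."""
    rob = airbag_signal(t_fire)
    return max(eventually(rob, 0.0, 5.0), avg_eventually(rob, 5.0, 10.0))


def persistence(t_release: float) -> float:
    """□_[0,50] gear_1 ∧ □̄_[50,60] gear_1 for σ'_t (conjunction = infimum)."""
    rob = atom_gt([(0.0, 1.0), (t_release, -1.0)], 0.0)  # gear_1 holds on [0, t_release)
    return min(henceforth(rob, 0.0, 50.0), avg_henceforth(rob, 50.0, 60.0))


if __name__ == "__main__":
    for t in (1.0, 9.99, 12.0):
        print("airbag at", t, "-> STL / AvSTL:", expeditiousness(t))
    print("deadline, airbag at 7 ms:", deadline(7.0))
    print("persistence, gear released at 55 ms:", persistence(55.0))
```

`expeditiousness(1.0)` and `expeditiousness(9.99)` both return $1$ for the STL formula but $0.9$ and $0.001$ for the averaged one, which is exactly the discrimination Fig. 2 plots; `deadline` is $1$ for any $t \le 5$ and decays linearly to $0$ over the extension $[5, 10]$; `persistence` is $0$ if the gear is released before 50 ms and grows linearly to $1$ as the release time moves from 50 to 60 ms.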

Other Temporal Specifications Expressivity of AvSTL goes beyond the three examples that we have seen—especially after the extension of the language with time-reversed averaged temporal operators. The reversal of time here corresponds to the symmetry between left and right time robustness in [12]. Such an extension of AvSTL enables us to express specifications like punctuality ("no sooner, no later") and periodicity. The details will be reported in another venue.


2.5 Soundness of Refinements from STL to AvSTL 


In §2.4 we have seen some scenarios where an STL specification is refined into an AvSTL one so that it more faithfully reflects the designer's intention. The following two are prototypical:

- ($\Diamond$-refinement) the refinement of $\Diamond_I\varphi$ ("eventually $\varphi$, within $I$") into $\overline{\Diamond}_I\varphi$ ("eventually $\varphi$ within $I$, but as soon as possible"); and

- ($\Box$-refinement) the refinement of $\Box_{[a,b]}\varphi$ ("always $\varphi$ throughout $[a,b]$") into $\Box_{[a,b]}\varphi \wedge \overline{\Box}_{[b,b+\delta]}\varphi$ ("always $\varphi$ throughout $[a,b]$, and desirably also in $[b,b+\delta]$").

The following soundness results guarantee validity of the use of these refinements in falsification problems. Completeness, in a suitable sense, holds too.


Definition 2.8 A positive context is an AvSTL formula with a hole $[\ ]$ at a positive position. Formally, the set of positive contexts is defined as follows:

$$C ::= [\ ] \mid C \vee \varphi \mid \varphi \vee C \mid C \wedge \varphi \mid \varphi \wedge C \mid C\,\mathcal{U}_I\,\varphi \mid \varphi\,\mathcal{U}_I\,C \mid C\,\overline{\mathcal{U}}_I\,\varphi \mid \varphi\,\overline{\mathcal{U}}_I\,C \mid C\,\mathcal{R}_I\,\varphi \mid \varphi\,\mathcal{R}_I\,C \mid C\,\overline{\mathcal{R}}_I\,\varphi \mid \varphi\,\overline{\mathcal{R}}_I\,C$$

where $\varphi$ is an AvSTL formula.

For a positive context $C$ and an AvSTL formula $\psi$, $C[\psi]$ denotes the formula obtained by substitution of $\psi$ for the hole $[\ ]$ in $C$.

Proposition 2.9 (soundness and completeness of $\Diamond$-refinement) Let $C$ be a positive context. Then $[\![\sigma, C[\overline{\Diamond}_{[a,b]}\varphi]]\!]^+ > 0$ implies $[\![\sigma, C[\Diamond_{[a,b]}\varphi]]\!]^+ > 0$. Moreover, for any $b'$ such that $b' < b$, $[\![\sigma, C[\Diamond_{[a,b']}\varphi]]\!]^+ > 0$ implies $[\![\sigma, C[\overline{\Diamond}_{[a,b]}\varphi]]\!]^+ > 0$. □

Proposition 2.10 (soundness and completeness of $\Box$-refinement) Let $C$ be a positive context. Then $[\![\sigma, C[\Box_{[a,b]}\varphi \wedge \overline{\Box}_{[b,b+\delta]}\varphi]]\!]^+ > 0$ implies $[\![\sigma, C[\Box_{[a,b]}\varphi]]\!]^+ > 0$. Moreover, for any $b' > b$, $[\![\sigma, C[\Box_{[a,b']}\varphi]]\!]^+ > 0$ implies $[\![\sigma, C[\Box_{[a,b]}\varphi \wedge \overline{\Box}_{[b,b+\delta]}\varphi]]\!]^+ > 0$. □
2.6 Relationship to Previous Robustness Notions

Our logic AvSTL captures space robustness [15]—the first robustness notion proposed for MITL/STL, see §1—because the averaging-free fragment of AvSTL coincides with STL and its space robust semantics, modulo the separation of positive and negative robustness (Rem. 2.4).

The relationship to space-time robustness proposed in [12] is interesting. In [12] they combine time and space robustness in the following way: for each time $t$ and each space robustness value $c > 0$, (right) time robustness relative to $c$, denoted by $\theta^+(\varphi, \sigma, t)$, is defined by "how long after time $t$ the formula $\varphi$ maintains space robustness $c$." See the figure on the right, where the space-time robustness $\theta^+(x > 0, \sigma, 0)$ is depicted.

After all, space-time robustness in [12] is a function from $c$ to $\theta^+(\varphi, \sigma, t)$; and one would like some real number as its characteristic. A natural choice of such is the area surrounded by the graph of the function (the shaded area in the figure), and it is computed in the same way as Lebesgue integration, as the figure suggests.

What corresponds in our AvSTL framework to this "area" characteristic value is the robustness of the formula $\overline{\Box}_{[0,\infty)}(x > 0)$ computed by Riemann integration (here we have to ignore the normalizing factor $\frac{1}{b-a}$ in Table 1). Therefore, very roughly speaking: our "averaged" robustness is a real-number characteristic value of the space-time robustness in [12]; and the correspondence is via the equivalence between Riemann and Lebesgue integration.



3 A Sliding-Window Algorithm for AvSTL Robustness 

We shall present an algorithm for computing AvSTL robustness. It turns out that the presence of averaged modalities like $\overline{\Diamond}_I$—with an apparent nonlocal nature—does not incur severe computational overhead, at least for formulas in which averaged modalities are not nested. The algorithm is an adaptation of the one in [11] for STL robustness; the latter in turn relies on the sliding window minimum algorithm. The algorithm's time complexity is linear with respect to the number of timestamps in the input signal; it exhibits a practical speed, too, as we will see later in §4.

Firstly we fix the class of signals to be considered.

Definition 3.1 (finitely piecewise-constant/piecewise-linear signal) A 1-dimensional signal $\sigma: \mathbb{R}_{\ge 0} \to \mathbb{R}$ is finitely piecewise-constant (FPC) if it arises from a finite sequence $[\,(t_0, r_0), (t_1, r_1), \dots, (t_n, r_n)\,]$ of timestamped values, via the correspondence $\sigma(t) = r_i$ (for $t \in [t_i, t_{i+1})$). Here $0 = t_0 < \dots < t_n$, $r_i \in \mathbb{R}$, and $t_{n+1}$ is deemed to be $\infty$.

Similarly, a 1-dimensional signal $\sigma: \mathbb{R}_{\ge 0} \to \mathbb{R}$ is finitely piecewise-linear (FPL) if it is identified with a finite sequence $[\,(t_0, r_0, q_0), \dots, (t_n, r_n, q_n)\,]$ of timestamped values, via the correspondence $\sigma(t) = r_i + q_i(t - t_i)$ (for $t \in [t_i, t_{i+1})$). Here $q_i \in \mathbb{R}$ is the slope of $\sigma$ in the interval $[t_i, t_{i+1})$.
The definitions obviously extend to many-dimensional signals $\sigma: \mathbb{R}_{\ge 0} \to \mathbb{R}^{\mathbf{Var}}$. We shall follow [11,12] and measure an algorithm's complexity in terms of the number of timestamps ($n$ in the above); the latter is identified with the size of a signal.

Definition 3.2 (robustness signal $[\![\varphi]\!]_\sigma$) Let $\sigma: \mathbb{R}_{\ge 0} \to \mathbb{R}^{\mathbf{Var}}$ be a signal, and $\varphi$ be an AvSTL formula. The positive robustness signal of $\varphi$ over $\sigma$ is the signal $[\![\varphi]\!]^+_\sigma: \mathbb{R}_{\ge 0} \to \mathbb{R}$ defined by: $[\![\varphi]\!]^+_\sigma(t) = [\![\sigma^t, \varphi]\!]^+$. Recall that $\sigma^t(t') = \sigma(t + t')$ is the $t$-shift of $\sigma$ (Def. 2.2). The negative robustness signal $[\![\varphi]\!]^-_\sigma$ is defined in the same way.


An averaged modality turns a piecewise-constant signal into a piecewise-linear one.

Lemma 3.3 1. Let $\varphi$ be an averaging-free AvSTL formula. If a signal $\sigma$ is finitely piecewise-constant (or piecewise-linear), then so is $[\![\varphi]\!]^+_\sigma$.

2. Let $\varphi$ be an AvSTL formula without nested averaged modalities. If a signal $\sigma$ is finitely piecewise-constant, then $[\![\varphi]\!]^+_\sigma$ is finitely piecewise-linear.

The above holds for the negative robustness signal $[\![\varphi]\!]^-_\sigma$, too.

Proof. Straightforward by induction on the construction of formulas. □

Our algorithm for computing AvSTL robustness $[\![\sigma,\varphi]\!]$ will be focused on: 1) a finitely piecewise-constant input signal $\sigma$; and 2) an AvSTL formula $\varphi$ where averaged modalities are not nested. In what follows, for presentation, we use the (non-averaged and averaged) eventually modalities $\Diamond_I, \overline{\Diamond}_I$ in describing algorithms. Adaptation to other modalities is not hard; for complex formulas, we compute the robustness signal $[\![\varphi]\!]_\sigma$ by induction on $\varphi$.


3.1 Donze et al.’s Algorithm for STL Robustness 

We start with reviewing the algorithm [11] for STL robustness. Our algorithm for AvSTL robustness relies on it in two ways: 1) the procedures for averaged modalities like $\overline{\Diamond}_I$ derive from those for non-averaged modalities in [11]; and 2) we use the algorithm in [11] itself for the non-averaged fragment of AvSTL.

Remark 3.4 The algorithm in [11] computes the STL robustness $[\![\sigma,\varphi]\!]$ for a finitely piecewise-linear signal $\sigma$. We need this feature e.g. for computing robustness of the formula $\Box(\mathrm{heavyBraking} \to \overline{\Diamond}_{[0,10]}\mathrm{airbag})$: note that, by Lem. 3.3, the robustness signal for $\overline{\Diamond}_{[0,10]}\mathrm{airbag}$ is piecewise-linear even if the input signal is piecewise-constant.


Consider computing the robustness signal $[\![\Diamond_{[a,b]}\varphi]\!]_\sigma$ assuming that the signal $[\![\varphi]\!]_\sigma$ is already given.⁵ The task calls for finding the supremum of $[\![\varphi]\!]_\sigma(\tau)$ over $\tau \in [t+a, t+b]$; and this must be done for each $t$. Naively doing so leads to quadratic complexity.

Instead Donzé et al. in [11] employ a sliding window of size $b - a$ and let it scan the signal $[\![\varphi]\!]_\sigma$ from right to left. The scan happens once for all, hence achieving linear complexity. See Fig. 5, where we take $[\![\Diamond_{[0,5]}(x > 0)]\!]^+$ as an example, and the blue shaded area designates the position of the sliding window. The window slides from $[3,8]$ to the closest position to the left where its left endpoint hits a new timestamped value of $[\![\varphi]\!]_\sigma$, namely $[1,6]$.

⁵ In the rest of §3.1, for simplicity of presentation, we assume that $[\![\varphi]\!]_\sigma$ is piecewise-constant. We note that the algorithm in [11] nevertheless extends to piecewise-linear $[\![\varphi]\!]_\sigma$.

Fig. 5. A sliding window for computing $[\![\Diamond_{[0,5]}(x > 0)]\!]^+$; the black line is the signal $\sigma$. (Figure omitted; it shows the window sliding backward.)

Fig. 6. Use of stackqueues and their operations, in the sliding window algorithm. (Figure omitted; its panels show the stackqueue $[(3,0.2), (4,0.3), (5,0.7), (8,0.9)]$ for the window $[3,8]$, then dequeue $(8,0.9)$, pop $(3,0.2)$ and $(4,0.3)$, and push $(1,0.6)$, leaving $[(1,0.6), (5,0.7)]$ for the window $[1,6]$.)

It is enough to know the shape of the blue (partial) signal in Fig. 5 at each position of the window. The blue signal denotes the (black) signal $\sigma$'s local supremum within the window; more precisely, it denotes the value of the signal $[\![\sigma^t, \Diamond_{[0,\tau]}(x > 0)]\!]^+$ at time $t + \tau$, where $\tau \in [0,5]$ and $t$ is the leftmost position of the window. We can immediately read off the signal $[\![\Diamond_{[0,5]}(x > 0)]\!]^+$ from the blue signals: the former is the latter's value at the rightmost position of the window.

The keys in the algorithms in [11,21] lie in:

- use of the stackqueue data structure (push and pop act at one end, dequeue at the other; the figure depicting it is omitted) for the purpose of representing the blue (partial) signal in Fig. 5; and

- use of the operations push, pop and dequeue for updating the blue signal.

See Fig. 6, where each entry of a stackqueue is a timestamped value $(t, r)$. We see that the slide of the window, from top-left to top-right in Fig. 6, is expressed by dequeue, pop and then push operations to stackqueues (in Fig. 6, from top-left to bottom-left, bottom-right and then top-right). Pseudocode for the algorithm is deferred to Appendix A.1 due to lack of space.
Algorithm 1 An algorithm for computing $[\![\overline{\Diamond}_{[a,b]}\varphi]\!]_\sigma$

Require: An FPC signal $[\![\varphi]\!]_\sigma$ given as a sequence $(t_0, r_0), \dots, (t_n, r_n)$
Ensure: The FPL signal $[\![\overline{\Diamond}_{[a,b]}\varphi]\!]_\sigma$

  $t_{\mathrm{temp}} := t_n - a$;
  $F := [\,(t_{\mathrm{temp}} + a,\ [\![\varphi]\!]_\sigma(t_{\mathrm{temp}} + a))\,]$;   ▷ $F$ is the FPC signal $\tau \mapsto [\![\sigma^{t_{\mathrm{temp}}}, \Diamond_{[a,\tau]}\varphi]\!]$
  $s := (b - a) \cdot [\![\varphi]\!]_\sigma(t_{\mathrm{temp}} + a)$;   ▷ the area of $F$
  $G := [\,(t_{\mathrm{temp}},\ s/(b-a),\ 0)\,]$;   ▷ the FPL signal $[\![\overline{\Diamond}_{[a,b]}\varphi]\!]_\sigma$
  while $t_{\mathrm{temp}} > 0$ do
    $t_{\mathrm{old}} := t_{\mathrm{temp}}$;
    $t_{\mathrm{temp}} :=$ the greatest $t$ such that $t < t_{\mathrm{old}} \wedge (\exists i.\ t + a = t_i \ \vee\ \exists (t', r') \in F.\ t + b = t')$;
    $\mathrm{Deq} := \{(t, r) \in F \mid t > t_{\mathrm{temp}} + b\}$; $F := F \setminus \mathrm{Deq}$;   ▷ dequeue old elements of $F$
    $\mathrm{Pop} := \{(t, r) \in F \mid r < [\![\varphi]\!]_\sigma(t_{\mathrm{temp}} + a)\}$; $F := F \setminus \mathrm{Pop}$;   ▷ pop small elements of $F$
    $t_{\mathrm{pop}} := \min\{t \mid (t, r) \in F \text{ or } t = t_{\mathrm{temp}} + b\}$;
    $F := [\,(t_{\mathrm{temp}} + a,\ [\![\varphi]\!]_\sigma(t_{\mathrm{temp}} + a))\,] \cup F$;   ▷ push the left endpoint of the window to $F$
    $r_{\mathrm{left}} := \min\{r \mid (t, r) \in F\}$;
    $r_{\mathrm{right}} := \max\{r \mid (t, r) \in F\}$;
    $s := s - (t_{\mathrm{old}} - t_{\mathrm{temp}}) \cdot r_{\mathrm{right}} - \mathrm{area}(\mathrm{Pop}) + (t_{\mathrm{pop}} - (t_{\mathrm{temp}} + a)) \cdot r_{\mathrm{left}}$;
    $G := \{(t_{\mathrm{temp}},\ s/(b-a),\ r_{\mathrm{right}} - r_{\mathrm{left}})\} \cup G$
  end while
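The sliding-window scan of §3.1 and Algorithm 1, as an added Python example (not the paper's or S-TaLiRo's code): a stackqueue $F$ holds the running supremum of the FPC signal $[\![\varphi]\!]_\sigma$ inside the window $[t+a, t+b]$, the window is moved right to left from one event to the next, and $F$ is updated by dequeue (entries that left the window on the right), pop (entries dominated by the value at the new left endpoint) and push (the new left endpoint), while the area $s$ is adjusted incrementally. The output is an FPL signal in the $(t_i, r_i, q_i)$ form of Def. 3.1; each slope is the rate at which the window sheds the left value and gains the right maximum. A naive per-$t$ recomputation (the quadratic method the text mentions) serves as the oracle. Function names, the `FPC`/`FPL` aliases and the sample signal are this example's own; the sample is constructed so that the slide from $[3,8]$ to $[1,6]$ reproduces the stackqueue contents of Fig. 6.

```python
"""Sliding-window computation of the FPL signal t ↦ [[σ^t, ◇̄_[a,b] φ]] over an
FPC signal [[φ]]_σ.  Added example; names and the sample signal are assumptions."""
from bisect import bisect_left, bisect_right
from collections import deque
from typing import List, Tuple

FPC = List[Tuple[float, float]]         # [(t0, r0), ..., (tn, rn)], t0 == 0, r_n after t_n
FPL = List[Tuple[float, float, float]]  # [(t_i, r_i, q_i)]: r_i + q_i*(t - t_i) on [t_i, t_{i+1})


def fpc_value(sig: FPC, t: float) -> float:
    """Value of an FPC signal at t (Def. 3.1: constant on [t_i, t_{i+1}))."""
    times = [ts for ts, _ in sig]
    return sig[bisect_right(times, t) - 1][1]


def fpl_value(sig: FPL, t: float) -> float:
    """Value of an FPL signal at t; the last piece extends to infinity."""
    t0, r0, q0 = sig[0]
    for ts, r, q in sig:
        if ts <= t:
            t0, r0, q0 = ts, r, q
    return r0 + q0 * (t - t0)


def avg_eventually_naive(sig: FPC, a: float, b: float, t: float) -> float:
    """[[σ^t, ◇̄_[a,b] φ]] = (1/(b-a)) ∫_a^b sup_{τ'∈[a,τ]} [[φ]]_σ(t+τ') dτ,
    recomputed from scratch for a single t (the quadratic way; used as oracle)."""
    lo, hi = t + a, t + b
    cur, prev, area = fpc_value(sig, lo), lo, 0.0
    for ts, r in sig:
        if lo < ts < hi:                             # breakpoints inside the window
            area += (ts - prev) * cur
            cur, prev = max(cur, r), ts
    return (area + (hi - prev) * cur) / (b - a)


def avg_eventually_fpc(sig: FPC, a: float, b: float) -> FPL:
    """The whole signal t ↦ [[σ^t, ◇̄_[a,b] φ]] in one right-to-left scan."""
    times = [ts for ts, _ in sig]
    t = max(times[-1] - a, 0.0)                      # from here on the window sees only r_n
    i = bisect_left(times, t + a) - 1                # last breakpoint strictly left of t + a
    F = deque([(t + a, fpc_value(sig, t + a))])      # stackqueue: times and values increase
    s = (b - a) * F[0][1]                            # area under the running-sup signal
    out = [(t, s / (b - a), 0.0)]
    while t > 0:
        t_old, rear = t, F[-1][1]
        t_left = times[i] - a if i >= 0 else -1.0    # left endpoint reaches breakpoint i
        t_right = F[-1][0] - b                       # right endpoint reaches the rear entry
        t = max(0.0, t_left, t_right)
        right_time = F[-1][0] if t == t_right else t + b
        if t == t_left:
            left_time, v, i = times[i], sig[i][1], i - 1
        else:
            left_time, v = t + a, sig[i][1]          # inside the piece that starts at t_i
        s -= (t_old - t) * rear                      # strip [t+b, t_old+b) held the old maximum
        while F and F[-1][0] >= right_time:          # dequeue: no longer inside the window
            F.pop()
        while F and F[0][1] <= v:                    # pop: dominated by the new left value
            ts, r = F.popleft()
            s -= ((F[0][0] if F else right_time) - ts) * r
        t_pop = F[0][0] if F else right_time
        s += (t_pop - left_time) * v                 # push: the new left endpoint
        F.appendleft((left_time, v))
        # On [t, t_old) the window sheds v on the left and gains max(rear, v) on the right.
        out.append((t, s / (b - a), (max(rear, v) - v) / (b - a)))
    out.reverse()
    return out


# Constructed sample [[x > 0]]_σ whose timestamps match the Fig. 6 stackqueue entries.
SAMPLE: FPC = [(0, 0.5), (1, 0.6), (3, 0.2), (4, 0.3), (5, 0.7), (8, 0.9), (9, 0.1)]


def max_discrepancy(sig: FPC = SAMPLE, a: float = 0.0, b: float = 5.0) -> float:
    """Largest |sliding-window − naive| over a grid of t, including the jump
    points where the left endpoint crosses a drop in the signal."""
    fpl = avg_eventually_fpc(sig, a, b)
    return max(abs(fpl_value(fpl, k / 10) - avg_eventually_naive(sig, a, b, k / 10))
               for k in range(0, 121))


if __name__ == "__main__":
    for piece in avg_eventually_fpc(SAMPLE, 0.0, 5.0):
        print("t = %.1f  value = %.3f  slope = %.3f" % piece)
    print("max discrepancy vs. naive:", max_discrepancy())
```

Two details differ from a literal reading of the listing above and are deliberate: the right-hand strip $[t+b, t_{\mathrm{old}}+b)$ is charged at the window maximum as it was before the step (a push at the new left endpoint can raise the maximum, and that raise must not be charged to the strip), and entries with value equal to the new left value are popped too, so $F$ stays strictly increasing and the number of events stays linear in the number of timestamps. The output is discontinuous wherever the signal drops at a timestamp (the running supremum no longer carries the higher value once the left endpoint passes it), which is why the pieces carry their own slopes instead of being interpolated.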


3.2 An Algorithm for AvSTL Robustness 


It turns out that the last algorithm is readily applicable to computing AvSTL robustness. 
Consider an averaged-eventually formula ◇̃_[a,b] φ as an example. What we have 
to compute is the size of the shaded areas in Fig. 5 (see also Fig. 1); and the shape of 
the blue signals in Fig. 5 carries just enough information to do so. 

Pseudocode for the adaptation of the previous algorithm (in §3.1) to ◇̃_[a,b] φ is found 
in Algorithm 1. Its complexity is linear with respect to the number n of the timestamp 
values that represent the signal [φ]_σ. 

An algorithm for the averaged-henceforth formula [□̃_[a,b] φ]_σ is similar. Extensions 
to averaged-until and averaged-release operators are possible, too; they use doubly-linked 
lists in place of stackqueues (see Appendix A.2). Combining with the algorithm 
in §3.1 to deal with non-averaged temporal operators, we have the following complexity 
result. The complexity is the same as for STL [11]. 


Theorem 3.5 Let φ be an AvSTL formula in which averaged modalities are not nested. 
Let σ be a finitely piecewise-constant signal. Then there exists an algorithm to compute 
⟦σ, φ⟧^+ with time-complexity in O(d^{|φ|} |φ| |σ|) for some constant d. 

The same is true for the negative robustness ⟦σ, φ⟧^−. □ 


Remark 3.6 The reason for our restriction to finitely piecewise-constant input signals 
is hinted at in Rem. 3.4; let us elaborate on it further. There the averaged modality ◇̃_[0,10] 
turns a piecewise-constant signal into a piecewise-linear one (Lem. 3.3); and then the 
additional Boolean connectives and non-averaged modalities (outside ◇̃_[0,10]) are taken 
care of by the algorithm in [11], one that is restricted to piecewise-linear input. 

It is not methodologically hard to extend this workflow to piecewise-polynomial 
input signals (hence to nested averaged modalities as well). Such an extension however 
calls for computing local suprema of polynomials, as well as their intersections: tasks 
that are drastically easier with affine functions. We therefore expect the extension to 
piecewise-polynomial signals to be computationally much more expensive. 


4 Enhanced Falsification: Implementation and Experiments 


We claim that our logic AvSTL achieves a good balance between expressivity (which 
communicates a designer's intention more faithfully to a falsification solver) and 
computational cost, thus contributing to the model-based development of cyber-physical 
systems. In this section we present our implementation that combines: 1) S-TaLiRo [6], 
one of the state-of-the-art falsification solvers that relies on robust MTL semantics and 
stochastic optimization; and 2) the AvSTL evaluator, an implementation of the algorithm 
in §3.2. Our experiments are on automotive examples of falsification problems; the results 
indicate that (refinement of specifications by) AvSTL brings considerable performance 
improvement. 


[Fig. 7. An overview of S-TaLiRo, with our modification. Figure not reproduced; only 
the label "Unsafe parameter" survives from it.] 


Implementation S-TaLiRo [6] is "a Matlab toolbox that searches for trajectories of 
minimal robustness in Simulink/Stateflow" [1]. Recall the formalization of a falsification 
problem (§1). S-TaLiRo's input is: 1) a model M that is a Simulink/Stateflow 
model; and 2) a specification φ that is an STL formula. 

S-TaLiRo employs stochastic simulation in the following S-TaLiRo loop: 

1. Choose an input signal σ_in randomly. 

2. Compute the output signal M(σ_in) with Simulink. 

3. Compute the robustness ⟦M(σ_in), φ⟧. 

4. If the robustness is < 0 then return σ_in as a critical path. Otherwise choose a new 
σ_in (hopefully with a smaller robustness) and go back to Step 2. 

Our modification of S-TaLiRo consists of: 1) changing the specification formalism from 
STL to AvSTL (with the hope that the robustness ⟦σ, φ⟧^+ carries more information 
to be exploited in stochastic optimization); and 2) using, in Step 3 of the above 
loop, the AvSTL evaluator based on the sliding-window algorithm in §3.2. See Fig. 7. 
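The four-step S-TaLiRo loop above, as an added example that is not part of the paper, of S-TaLiRo or of its authors' code: a self-contained Python stand-in in which a constructed first-order-lag model replaces the Simulink model M, the specification is □_[0,10](ω < 2000) under ordinary STL space robustness (the infimum of 2000 − ω over the horizon), and Step 4's "choose a new σ_in" is a simple perturb-the-best search with random restarts. The model constants, the search strategy and every function name are assumptions made for this illustration; only the four-step structure comes from the text.

```python
import math
import random

# Constructed stand-in for the Simulink model M (NOT the paper's automatic
# transmission model): a first-order lag
#     d(omega)/dt = K * throttle(t) - C * omega(t)
# integrated with explicit Euler steps.  It maps a throttle input signal,
# piecewise constant on SEGMENTS equal pieces of the horizon, to an
# engine-speed output signal omega.
K, C, DT, HORIZON, SEGMENTS = 3000.0, 1.0, 0.1, 10.0, 5


def simulate(throttle):
    """Step 2: compute the output signal M(sigma_in).

    Returns the output as a list of (t, omega) samples, i.e. an FPC signal
    with one timestamp per Euler step."""
    steps = round(HORIZON / DT)
    omega, out = 0.0, []
    for i in range(steps + 1):
        out.append((i * DT, omega))
        u = throttle[min(i * SEGMENTS // steps, SEGMENTS - 1)]
        omega += DT * (K * u - C * omega)
    return out


def robustness_always_below(out, threshold=2000.0):
    """Step 3: STL space robustness of  []_[0,10] (omega < threshold),
    i.e. the infimum over the horizon of (threshold - omega(t)).
    Negative means the specification is violated."""
    return min(threshold - w for _, w in out)


def falsify(robustness, rng, max_iter=1000, step=0.2):
    """Steps 1-4 of the loop.  `robustness` is the evaluator plugged into
    Step 3 (this is the only place the paper's modification touches).
    Returns (input, robustness, iterations); robustness < 0 means a
    critical path was found."""
    best_in, best_rob = None, math.inf
    cand = [rng.random() for _ in range(SEGMENTS)]            # Step 1
    for it in range(1, max_iter + 1):
        rob = robustness(simulate(cand))                      # Steps 2-3
        if rob < best_rob:
            best_in, best_rob = cand, rob
        if rob < 0:                                           # Step 4: critical path
            return cand, rob, it
        # Step 4 otherwise: propose a new sigma_in, hopefully less robust.
        # Stochastic optimisation here = local perturbation of the best input
        # so far, with an occasional random restart (an assumption; S-TaLiRo
        # offers several optimisers).
        if rng.random() < 0.1:
            cand = [rng.random() for _ in range(SEGMENTS)]
        else:
            cand = [min(1.0, max(0.0, u + rng.gauss(0.0, step))) for u in best_in]
    return best_in, best_rob, max_iter


if __name__ == "__main__":
    sigma_in, rob, iters = falsify(robustness_always_below, random.Random(1))
    print(f"after {iters} iterations: robustness={rob:.1f}, throttle={sigma_in}")
```

The robustness callback is what the modification described above replaces: an AvSTL evaluator can be dropped in for `robustness_always_below` without changing the loop. For a purely propositional specification the same kind of callback returns only two distinct values, which is the "few clues for the optimizer" situation discussed with the experiment results below.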

Experiments As a model M we used the automatic transmission model from [12], 
where it is offered "as benchmarks for testing-based falsification" [12]. The same model 
has been used in several works [14, 19, 24]. The model has two input ports (throttle 
and brake) and six output ports (the engine speed ω, the vehicle speed v, and four 
mutually-exclusive Boolean ports gear_1, ..., gear_4 for the current gear). Further illustration 
is in Appendix C. As a specification φ to falsify, we took six examples from [12], 
sometimes with minor modifications. They constitute Problems 1-6 in Table 2. 
Problem 1. Falsification means finding an input signal that keeps the engine speed ω below 2000 rpm for T seconds. The 
bigger T is, the harder the problem is. We applied ◇-refinement. 

Problem 1                    |        T = 20           |        T = 30           |        T = 40 
Specification                | Succ.  Iter.    Time    | Succ.  Iter.    Time    | Succ.  Iter.    Time 
to be falsified              | /100   (Succ.)  (Succ.) | /100   (Succ.)  (Succ.) | /100   (Succ.)  (Succ.) 
◇_[0,T] (ω ≥ 2000)           | 100    128.8    20.2    | 81     440.9    82.5    | 32     834.3    162.9 
                             |        (128.8)  (20.2)  |        (309.7)  (59.0)  |        (482.2)  (94.4) 
◇̃_[0,T] (ω ≥ 2000)           | 100    123.9    22.9    | 98     249.8    46.1    | 81     539.6    110.9 
                             |        (123.9)  (22.9)  |        (234.5)  (43.4)  |        (431.6)  (89.2) 


Problem 2. Falsification means finding an input signal that keeps ω within a range of 3500-4500 rpm for T consecutive 
seconds, at a certain stage. We applied ◇-refinement. 

Problem 2                            |        T = 10 
Specification                        | Succ.  Iter.    Time 
to be falsified                      | /100   (Succ.)  (Succ.) 
□◇_[0,T] (ω < 3500 ∨ ω > 4500)       | 45     625.4    209.1 
                                     |        (167.7)  (56.1) 
□◇̃_[0,T] (ω < 3500 ∨ ω > 4500)       | 74     442.0    154.3 
                                     |        (245.9)  (86.6) 


Problem 3. Falsification means finding an input signal that shifts the gear into the fourth within T seconds. The smaller T 
is, the harder the problem is. Here gear_4 is a propositional variable. We applied □-refinement. 

Problem 3                            |        T = 4            |        T = 4.5          |        T = 5 
Specification                        | Succ.  Iter.    Time    | Succ.  Iter.    Time    | Succ.  Iter.    Time 
to be falsified                      | /20    (Succ.)  (Succ.) | /20    (Succ.)  (Succ.) | /20    (Succ.)  (Succ.) 
□_[0,T] ¬gear_4                      | 0      1000     166.9   | 11     742.8    122.9   | 18     449.0    71.8 
                                     |        (—)      (—)     |        (532.3)  (87.5)  |        (387.7)  (61.9) 
□_[0,T] ¬gear_4 ∧ □̃_[T,10] ¬gear_4   | 17     570.1    94.0    | 20     250.5    40.3    | 20     107.5    17.6 
                                     |        (494.2)  (81.8)  |        (250.5)  (40.3)  |        (107.5)  (17.6) 


Problem 4. Falsification means finding input with which the gear never stays in the third consecutively for T seconds. The 
smaller T is, the harder the problem is. Here gear_3 is a propositional variable. We applied □-refinement. 

Problem 4                                |        T = 1            |        T = 2 
Specification                            | Succ.  Iter.    Time    | Succ.  Iter.    Time 
to be falsified                          | /20    (Succ.)  (Succ.) | /20    (Succ.)  (Succ.) 
◇(□_[0,T] gear_3)                        | 14     556.1    132.0   | 20     82.8     20.6 
                                         |        (365.8)  (87.1)  |        (82.8)   (20.6) 
◇(□_[0,T] gear_3 ∧ □̃_[T,10] gear_3)      | 20     105.1    36.3    | 20     29.7     10.2 
                                         |        (105.1)  (36.3)  |        (29.7)   (10.2) 


Problem 5. Falsification means finding input that violates the following requirement: after the gear is shifted, it stays the 
same for T seconds (the smaller T, the harder). gear_1, ..., gear_4 are propositional variables. We applied □-refinement. 

Problem 5 (ε = 0.04)                                   |        T = 0.8          |        T = 1            |        T = 2 
Specification                                          | Succ.  Iter.    Time    | Succ.  Iter.    Time    | Succ.  Iter.    Time 
to be falsified                                        | /20    (Succ.)  (Succ.) | /20    (Succ.)  (Succ.) | /20    (Succ.)  (Succ.) 
⋀_{i=1,...,4} □((¬gear_i ∧ ◇_[0,ε] gear_i)             | 2      972.5    402.5   | 19     356.8    155.6   | 20     27.4     11.8 
               → □_[ε,T+ε] gear_i)                     |        (724.5)  (297.8) |        (322.9)  (140.9) |        (27.4)   (11.8) 
⋀_{i=1,...,4} □((¬gear_i ∧ ◇_[0,ε] gear_i)             | 12     561.1    349.1   | 20     93.1     57.8    | 20     42.7     26.9 
               → (□_[ε,T+ε] gear_i ∧ □̃_[T+ε,5] gear_i)) |        (268.5)  (167.3) |        (93.1)   (57.8)  |        (42.7)   (26.9) 


Problem 6. Falsification means finding an input signal that steers the vehicle speed v over 85 kph within T seconds, while 
keeping the engine speed ω below 4500 rpm. The smaller T is, the harder the problem is. We applied □-refinement. 

Problem 6                                          |        T = 10           |        T = 12 
Specification                                      | Succ.  Iter.    Time    | Succ.  Iter.    Time 
to be falsified                                    | /20    (Succ.)  (Succ.) | /20    (Succ.)  (Succ.) 
□_[0,T] (v < 85) ∨ ◇(ω > 4500)                     | 12     714.9    141.4   | 17     374.5    72.2 
                                                   |        (524.9)  (108.1) |        (264.1)  (51.2) 
(□_[0,T] (v < 85) ∧ □̃_[T,20] (v < 85))             | 12     766.7    149.0   | 20     423.6    85.7 
    ∨ ◇(ω > 4500)                                  |        (611.2)  (118.9) |        (423.6)  (85.7) 


Table 2. Experiment results. Time is in seconds. The "Succ." columns show how many trials 
succeeded among the designated number of trials; the "Iter." columns show the average number of 
iterations of the S-TaLiRo loop executed in each trial (max. 1000); and the "Time" columns show 
the average time that each trial took. For the last two we also show, in parentheses, the average 
over successful trials. 
Our goal is to examine the effect of our modification to S-TaLiRo. For the model 
M (that is fixed) and each of the six specifications φ, experiments are done with: 

- M and the original STL formula φ, as a control experiment; and 

- M and the AvSTL formula φ' that is obtained from φ as a refinement. The latter 
specifically involves ◇-refinement and □-refinement described in §2.5. 

Faster, or more frequent, falsification in the latter setting witnesses the effectiveness of our 
AvSTL approach. We note that falsifying φ' indeed means falsifying φ, because of the 
soundness of the refinement (Prop. 2.9 and 2.10). 

A single falsification trial consists of at most 1000 iterations of the S-TaLiRo loop. 
For each specification φ (i.e. for each problem in Table 2) we made 20-100 falsification 
trials, sometimes with different parameter values T. We made multiple trials because of 
the stochastic nature of S-TaLiRo. 


Experiment Results and Discussion The experiment results are in Table 2. We used 
Matlab R2014b and S-TaLiRo ver. 1.6 beta on a ThinkPad T530 with an Intel Core i7-3520M 
2.90GHz CPU and 3.7GB memory. The OS is Ubuntu 14.04 LTS (64-bit). 

Notable performance improvement is observed in Problems 3-5, especially in their 
harder instances. For example, our AvSTL enrichment made 17 out of 20 trials succeed 
in Problem 3 (T = 4), while no trials succeeded with the original STL specification. A 
similarly extreme performance gap is observed in Problem 5 (T = 0.8). 

Such performance improvement in Problems 3-5 is not surprising. The specifications 
for these problems are concerned solely with the propositional variables gear_i 
(cf. Rem. 2.7); and the space robustness semantics for STL assigns to these specifications 
only 0 or 1 (but no values in between) as their truth values. We can imagine that such 
"discrete" robustness values give few clues to stochastic optimization algorithms. 

Both ◇- and □-refinement in §2.5 turn out to be helpful. The latter's effectiveness 
is observed in Problems 3-5; the former improves the success rate from 32/100 to 81/100 
in Problem 1 (T = 40). 

Overall, the experiment results seem to support our claim that the complexity of 
(computing robustness values in) AvSTL is tractable. There is no big difference in the 
time each iteration takes between the STL case and the AvSTL case. 


5 Conclusions and Future Work 

We introduced AvSTL, an extension of STL with averaged temporal operators. It adequately 
captures both space and time robustness; and we presented an algorithm for 
computing robustness that is linear-time with respect to the "size" of an input signal. Its 
use in falsification of CPS is demonstrated by our prototype that modifies S-TaLiRo. 

As future work, we wish to compare our averaged temporal operators with other 
quantitative temporal operators, among which are the discounting ones [4, 5]. The latter 
are closely related to mean-payoff conditions [9, 13] as well as to energy constraints [7, 8], 
all of which are studied principally in the context of automata theory. 

Application of AvSTL to problems other than falsification is another important direction. 
Among them is parameter synthesis, another task that S-TaLiRo is capable of. 
We are now looking at application to sequence classification (see e.g. [10]), too, whose 
significant role in model-based development of CPS is widely acknowledged. 
A Algorithms 

A.1 An STL Algorithm for Computing [◇_[a,b] φ]_σ, from [11] 


In Algorithm 2 is pseudocode for computing the signal [◇_[a,b] φ]_σ, given the signal [φ]_σ. 
Its intuitions are found in §3.1. 

Algorithm 2 An algorithm for computing [◇_[a,b] φ]_σ 

Require: An FPC signal [φ]_σ given as a sequence (t_0, r_0), ..., (t_n, r_n) 
Ensure: The FPC signal [◇_[a,b] φ]_σ 
  t_temp := t_n − a; 
  F := [ (t_temp + a, [φ]_σ(t_temp + a)) ];     ▷ F is the FPC signal τ ↦ ⟦σ^{t_temp}, ◇_[a,τ] φ⟧ 
  G := [ (t_temp, [φ]_σ(t_temp + a)) ];         ▷ G is the FPC signal [◇_[a,b] φ]_σ 
  while t_temp > 0 do 
    t_temp := the greatest t such that t < t_temp ∧ (∃i. t + a = t_i ∨ ∃(t', r') ∈ F. t + b = t'); 
    F := F \ { (t, r) | t > t_temp + b };                ▷ Dequeue old elements in F 
    F := F \ { (t, r) | r < [φ]_σ(t_temp + a) };         ▷ Pop elements in F that are too small 
    F := [ (t_temp + a, [φ]_σ(t_temp + a)) ] ∪ F;        ▷ Push the left endpoint of the window to F 
    r_right := max{ r | (t, r) ∈ F }; 
    G := { (t_temp, r_right) } ∪ G;                      ▷ Add a timestamped value 
  end while 
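The sliding-window idea behind Algorithm 2 above and Algorithm 1 of §3.1, as an added, runnable Python example that is not code from the paper or its authors. The stackqueue F is a deque of pieces (start, value) of the prefix maximum τ ↦ sup φ on [t+a, τ]; sweeping t from right to left, pieces are dequeued at the right end, popped at the left end when a newly entering value dominates them, and pushed at the new left endpoint, while the area s under F is updated incrementally. The rightmost value of F is the ◇_[a,b] value (Algorithm 2) and s/(b − a) is the ◇̃_[a,b] value (Algorithm 1). Unlike Algorithm 1 this code returns values at the query times rather than the FPL signal with slopes, and it treats the window as half-open, [t+a, t+b), which is immaterial for the integral and differs from the closed window only where φ jumps exactly at t+b. The sample signal, all function and class names and the brute-force `reference` used for validation are constructed for this example.

```python
from collections import deque

# Constructed sample signal [phi]_sigma in the paper's FPC representation:
# (t_i, r_i) means the value is r_i on [t_i, t_{i+1}) and r_n from t_n on.
# Before t_0 we extend it with r_0.
SIG = [(0.0, 1.0), (2.0, 3.0), (3.0, 0.5), (5.0, 2.0), (8.0, 1.0)]


def fpc_value(sig, t):
    """Value of an FPC signal at time t (right-continuous)."""
    v = sig[0][1]
    for ti, ri in sig:
        if ti > t:
            break
        v = ri
    return v


def reference(sig, lo, hi):
    """Brute-force check used only for validation: the integral over [lo, hi)
    of tau |-> sup phi on [lo, tau], and the sup of phi over [lo, hi)."""
    cuts = [lo] + [ti for ti, _ in sig if lo < ti < hi] + [hi]
    area, running = 0.0, fpc_value(sig, lo)
    for left, right in zip(cuts, cuts[1:]):
        running = max(running, fpc_value(sig, left))
        area += (right - left) * running
    return area, running


class Window:
    """Sliding window [t+a, t+b) over phi, swept from right to left.

    F holds the pieces (start, value) of the prefix maximum of phi inside the
    window; values strictly increase from left to right, so F behaves like
    the paper's stackqueue (push/pop at the left end, dequeue at the right).
    s is the area under that prefix maximum, maintained incrementally: each
    piece enters and leaves F at most once."""

    def __init__(self, sig, a, b):
        self.sig, self.a, self.b = sig, a, b
        self.F = deque()          # pieces (start, value), strictly increasing values
        self.L = self.R = None    # current window [L, R)
        self.s = 0.0              # area under the prefix maximum on [L, R)
        self.k = len(sig)         # breakpoints sig[k:] have already been scanned

    def slide(self, t):
        """Move the window to [t+a, t+b) (t must decrease between calls);
        return (averaged-eventually value, eventually value) at t."""
        L_new, R_new = t + self.a, t + self.b
        assert self.L is None or L_new < self.L, "the window only slides leftwards"
        # Right end: dequeue pieces now starting at or beyond R_new, then
        # truncate the last remaining piece so that it ends at R_new.
        while self.F and self.F[-1][0] >= R_new:
            start, r = self.F.pop()
            self.s -= (self.R - start) * r
            self.R = start
        if self.F:
            self.s -= (self.R - R_new) * self.F[-1][1]
            upper = self.L                 # pieces of phi on [L_new, L_old) are new
        else:
            self.s, upper = 0.0, R_new     # the old window fell out entirely
        self.R = R_new
        # Left end: the pieces of phi starting in [L_new, upper), rightmost
        # first, taken from the scan pointer so every breakpoint is visited once.
        pieces = []
        while self.k > 0 and self.sig[self.k - 1][0] > L_new:
            self.k -= 1
            if self.sig[self.k][0] < upper:
                pieces.append(self.sig[self.k])
        pieces.append((L_new, self.sig[max(self.k - 1, 0)][1]))
        for start, v in pieces:
            # Pop pieces dominated by the entering value: from L_new onwards
            # the prefix maximum is at least v, so they are no longer visible.
            while self.F and self.F[0][1] <= v:
                s0, r0 = self.F.popleft()
                end = self.F[0][0] if self.F else self.R
                self.s -= (end - s0) * r0
            end = self.F[0][0] if self.F else self.R
            self.s += (end - start) * v
            self.F.appendleft((start, v))
        self.L = L_new
        # Average over the window (Algorithm 1) and the sup, which is the
        # rightmost value of F (Algorithm 2).
        return self.s / (self.b - self.a), self.F[-1][1]


def averaged_eventually(sig, a, b, times):
    """[(t, averaged-eventually, eventually), ...] for the query times, which
    must be strictly decreasing because the sweep runs right to left."""
    w = Window(sig, a, b)
    return [(t,) + w.slide(t) for t in times]


if __name__ == "__main__":
    for t, avg, sup in averaged_eventually(SIG, 1.0, 3.0, [7.0, 4.0, 2.5, 1.0, 0.0, -0.5]):
        print(f"t={t:5.1f}   averaged-eventually={avg:.3f}   eventually={sup:.3f}")
```

Choosing the query times as the breakpoints t_i − a and t_i − b recovers the breakpoints of the FPL output signal, since between two such events the left value of F and the piece under the right endpoint are both constant and s is therefore linear in t.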


A.2 An Algorithm for Computing [φ_1 Ũ_[a,b] φ_2]_σ 


Algorithm 1 is an algorithm for computing [◇̃_[a,b] φ]_σ that is linear-time with respect to 
the "size" of [φ]_σ. We can compute [φ_1 Ũ_[a,b] φ_2]_σ in linear time, similarly, by employing 
a sliding window that stands for a piecewise constant function 

F : [a, b] → ℝ,  τ ↦ ⟦σ^t, φ_1 U_[a,τ] φ_2⟧ . 

The sliding of the window corresponds to the change of the value of t. For efficient 
implementation of such sliding we rely on the following proposition. It is derived essentially 
from the equivalence φ_1 U_[a,τ] φ_2 ≡ ◇_[a,τ] φ_2 ∧ □_[0,a](φ_1 U φ_2), an equivalence 
also used in [11]. 


Proposition A.1 Assume that the signal [□_[0,a](φ_1 U φ_2)]_σ is constant in the interval 
[0, δ). Then we have 

$$
\llbracket\sigma,\ \varphi_1\,\mathcal{U}_{[a,\tau+\delta]}\,\varphi_2\rrbracket
= \bigl(\llbracket\sigma^{\delta},\ \varphi_1\,\mathcal{U}_{[a,\tau]}\,\varphi_2\rrbracket
\sqcup \llbracket\sigma,\ \Diamond_{[a,a+\delta]}\varphi_2\rrbracket\bigr)
\sqcap \llbracket\sigma,\ \Box_{[0,a]}(\varphi_1\,\mathcal{U}\,\varphi_2)\rrbracket .
\qquad (1)
$$

Proof. 

$$
\begin{aligned}
(\mathrm{RHS})
&= \bigl(\llbracket\sigma^{\delta}, \varphi_1\,\mathcal{U}_{[a,\tau]}\,\varphi_2\rrbracket \sqcap \llbracket\sigma, \Box_{[0,a]}(\varphi_1\,\mathcal{U}\,\varphi_2)\rrbracket\bigr)
 \sqcup \bigl(\llbracket\sigma, \Diamond_{[a,a+\delta]}\varphi_2\rrbracket \sqcap \llbracket\sigma, \Box_{[0,a]}(\varphi_1\,\mathcal{U}\,\varphi_2)\rrbracket\bigr)
&& \text{by distributing } \sqcap \text{ over } \sqcup \\
&= \bigl(\llbracket\sigma^{\delta}, \varphi_1\,\mathcal{U}_{[a,\tau]}\,\varphi_2\rrbracket \sqcap \llbracket\sigma, \Box_{[0,a]}(\varphi_1\,\mathcal{U}\,\varphi_2)\rrbracket\bigr)
 \sqcup \llbracket\sigma, \varphi_1\,\mathcal{U}_{[a,a+\delta]}\,\varphi_2\rrbracket
&& \text{by the above equivalence } \varphi_1\,\mathcal{U}_{[a,\tau]}\,\varphi_2 \equiv \Diamond_{[a,\tau]}\varphi_2 \wedge \Box_{[0,a]}(\varphi_1\,\mathcal{U}\,\varphi_2) \\
&= \Bigl(\bigl(\llbracket\sigma^{\delta}, \Diamond_{[a,\tau]}\varphi_2\rrbracket \sqcap \llbracket\sigma^{\delta}, \Box_{[0,a]}(\varphi_1\,\mathcal{U}\,\varphi_2)\rrbracket\bigr)
 \sqcap \llbracket\sigma, \Box_{[0,a]}(\varphi_1\,\mathcal{U}\,\varphi_2)\rrbracket\Bigr)
 \sqcup \llbracket\sigma, \varphi_1\,\mathcal{U}_{[a,a+\delta]}\,\varphi_2\rrbracket
&& \text{by the same equivalence} \\
&= \Bigl(\bigl(\llbracket\sigma, \Diamond_{[a+\delta,\tau+\delta]}\varphi_2\rrbracket \sqcap \llbracket\sigma, \Box_{[\delta,a+\delta]}(\varphi_1\,\mathcal{U}\,\varphi_2)\rrbracket\bigr)
 \sqcap \llbracket\sigma, \Box_{[0,a]}(\varphi_1\,\mathcal{U}\,\varphi_2)\rrbracket\Bigr)
 \sqcup \llbracket\sigma, \varphi_1\,\mathcal{U}_{[a,a+\delta]}\,\varphi_2\rrbracket \\
&= \bigl(\llbracket\sigma, \Diamond_{[a+\delta,\tau+\delta]}\varphi_2\rrbracket \sqcap \llbracket\sigma, \Box_{[0,a+\delta]}(\varphi_1\,\mathcal{U}\,\varphi_2)\rrbracket\bigr)
 \sqcup \llbracket\sigma, \varphi_1\,\mathcal{U}_{[a,a+\delta]}\,\varphi_2\rrbracket
&& \text{by the assumption that } [\Box_{[0,a]}(\varphi_1\,\mathcal{U}\,\varphi_2)]_\sigma \text{ is constant in } [0,\delta) \\
&= \llbracket\sigma, \varphi_1\,\mathcal{U}_{[a+\delta,\tau+\delta]}\,\varphi_2\rrbracket
 \sqcup \llbracket\sigma, \varphi_1\,\mathcal{U}_{[a,a+\delta]}\,\varphi_2\rrbracket
&& \text{again by the same equivalence} \\
&= (\mathrm{LHS}) . \qquad \square
\end{aligned}
$$

Roughly speaking, the equality (1) shows how the signal after sliding (⟦σ, φ_1 U_[a,τ+δ] φ_2⟧ 
on the left-hand side) can be computed from the signal before sliding (the first term 
⟦σ^δ, φ_1 U_[a,τ] φ_2⟧ on the right-hand side). 

In Algorithm 3 pseudocode is found for computing [φ_1 Ũ_[a,b] φ_2]_σ. Compared to 
Algorithm 1, a principal addition is truncation of big elements (Trunc in Algorithm 3; 
it corresponds to taking ⊓ in (1)). To realize such a truncation operation efficiently, we 
use a doubly-linked list as a data structure, in place of a stackqueue, so that it allows 
push and pop from each side. 

It is not hard to see that the time-complexity of Algorithm 3 is linear in n + m. Note 
also that the signal [□_[0,a](φ_1 U φ_2)]_σ (input to Algorithm 3) can be computed efficiently, 
from the signals [φ_1]_σ and [φ_2]_σ, thanks to the algorithm presented in [11]. 

B Omitted Proofs 

B.1 Proof of Lem. 2.5 

Proof. We only prove the first inequality; the others are similar. For t ≤ t', 

$$
\begin{aligned}
\llbracket\sigma,\ \varphi_1\,\mathcal{U}_{[t_0,t']}\,\varphi_2\rrbracket
&= \bigsqcup_{\tau\in[t_0,t']}\Bigl(\llbracket\sigma^{\tau},\varphi_2\rrbracket \sqcap \bigsqcap_{\tau'\in[0,\tau]}\llbracket\sigma^{\tau'},\varphi_1\rrbracket\Bigr) \\
&\ge \bigsqcup_{\tau\in[t_0,t]}\Bigl(\llbracket\sigma^{\tau},\varphi_2\rrbracket \sqcap \bigsqcap_{\tau'\in[0,\tau]}\llbracket\sigma^{\tau'},\varphi_1\rrbracket\Bigr) \\
&= \llbracket\sigma,\ \varphi_1\,\mathcal{U}_{[t_0,t]}\,\varphi_2\rrbracket .
\end{aligned}
$$

□ 


B.2 Proof of Lem. 2.6 

Proof. We only show the proof of the first equality; the others are similar. 
Algorithm 3 An algorithm for computing [φ_1 Ũ_[a,b] φ_2]_σ 

Require: An FPC signal [φ_2]_σ given as a sequence (t_0, r_0), ..., (t_n, r_n), and a signal g = 
[□_[0,a](φ_1 U φ_2)]_σ given as (u_0, v_0), ..., (u_m, v_m) 
Ensure: The FPL signal [φ_1 Ũ_[a,b] φ_2]_σ 
  t_temp := max{ t_n − a, u_m }; 
  r_left := [φ_2]_σ(t_temp + a) ⊓ g(t_temp); 
  F := [ (t_temp + a, r_left) ];                   ▷ F is the FPC signal τ ↦ ⟦σ^t, φ_1 U_[a,τ] φ_2⟧ 
  s := (b − a) · r_left;                           ▷ The area of F 
  G := [ (t_temp, s/(b − a), 0) ];                 ▷ G is the FPL signal [φ_1 Ũ_[a,b] φ_2]_σ 
  while t_temp > 0 do 
    t_old := t_temp; 
    t_temp := the greatest t such that 
              t < t_old ∧ (∃i. t + a = t_i ∨ ∃(t', r') ∈ F. t + b = t' ∨ ∃j. t = u_j); 
    Deq := { (t, r) ∈ F | t > t_temp + b };                  ▷ Dequeue old elements in F 
    F := F \ Deq; 
    Pop := { (t, r) ∈ F | r < [φ_2]_σ(t_temp + a) };          ▷ Pop small elements in F 
    F := F \ Pop; 
    t_pop := min{ t | (t, r) ∈ F or t = t_temp + b }; 
    F := [ (t_temp + a, r_left) ] ∪ F;                       ▷ Push the left endpoint of the window to F 
    r_Deq := max{ r | (t, r) ∈ F }; 
    r_push := min{ r | (t, r) ∈ F }; 
    s := s − (t_old − t_temp) · r_Deq − area(Pop) + (t_pop − (t_temp + a)) · r_push; 
    Trunc := { (t, r) ∈ F | r > g(t_temp) };                 ▷ Truncate big elements in F 
    F := F \ Trunc; 
    t_Trunc := min{ t | (t, r) ∈ Trunc or t = t_temp + b }; 
    F := F ∪ [ (t_Trunc, g(t_temp)) ]; 
    r_left := min{ r | (t, r) ∈ F }; 
    r_right := max{ r | (t, r) ∈ F }; 
    s := s − area(Trunc) + ((t_temp + b) − t_Trunc) · r_right; 
    G := { (t_temp, s/(b − a), r_right − r_left) } ∪ G 
  end while 
We first show (LHS) ≥ (RHS). 

$$
\begin{aligned}
(\mathrm{RHS})
&= \lim_{t\to\infty}\frac{1}{t-t_0}\int_{t_0}^{t}\llbracket\sigma,\ \varphi_1\,\mathcal{U}_{[t_0,\tau]}\,\varphi_2\rrbracket^{+}\,d\tau \\
&\le \lim_{t\to\infty}\frac{1}{t-t_0}\int_{t_0}^{t}\llbracket\sigma,\ \varphi_1\,\mathcal{U}_{[t_0,t]}\,\varphi_2\rrbracket^{+}\,d\tau
&& \text{by Lem. 2.5} \\
&= \lim_{t\to\infty}\llbracket\sigma,\ \varphi_1\,\mathcal{U}_{[t_0,t]}\,\varphi_2\rrbracket^{+} \\
&\le \llbracket\sigma,\ \varphi_1\,\mathcal{U}_{[t_0,\infty)}\,\varphi_2\rrbracket^{+} \\
&= (\mathrm{LHS}) .
\end{aligned}
$$

Now we show the equality (LHS) = (RHS). Let 

$$
f(t) = \frac{1}{t-t_0}\int_{t_0}^{t}\llbracket\sigma,\ \varphi_1\,\mathcal{U}_{[t_0,\tau]}\,\varphi_2\rrbracket^{+}\,d\tau .
$$

By Lem. 2.5, ⟦σ, φ_1 U_[t_0,τ] φ_2⟧^+ is monotonically increasing with respect to τ, hence 
f(t) is also monotonically increasing with respect to t, because f(t) is an average of 
⟦σ, φ_1 U_[t_0,τ] φ_2⟧^+ over t_0 ≤ τ ≤ t. If f(t) is not bounded, then obviously (LHS) ≤ 
(RHS). Otherwise, if f(t) is bounded, the increasing function f(t) converges to some 
α ∈ ℝ_{≥0} as t → ∞. By (LHS) ≥ (RHS) (that we have already shown), α + ε = (LHS) 
for some ε ∈ ℝ_{≥0}. Here the following statement holds. 

$$
\forall \alpha' < \alpha + \varepsilon.\ \exists t' \in [t_0,\infty).\ 
\llbracket\sigma^{t'},\varphi_2\rrbracket \sqcap \bigsqcap_{\tau\in[0,t']}\llbracket\sigma^{\tau},\varphi_1\rrbracket > \alpha'
\qquad (2)
$$

Hence, for such α' and t', 

$$
\begin{aligned}
(\mathrm{RHS})
&= \lim_{t\to\infty}\frac{1}{t-t_0}\int_{t_0}^{t}\llbracket\sigma,\ \varphi_1\,\mathcal{U}_{[t_0,\tau]}\,\varphi_2\rrbracket^{+}\,d\tau \\
&= \lim_{t\to\infty}\frac{1}{t-t_0}\Bigl(\int_{t_0}^{t'}\llbracket\sigma,\ \varphi_1\,\mathcal{U}_{[t_0,\tau]}\,\varphi_2\rrbracket^{+}\,d\tau
 + \int_{t'}^{t}\llbracket\sigma,\ \varphi_1\,\mathcal{U}_{[t_0,\tau]}\,\varphi_2\rrbracket^{+}\,d\tau\Bigr) \\
&\ge \lim_{t\to\infty}\frac{1}{t-t_0}\int_{t'}^{t}\llbracket\sigma,\ \varphi_1\,\mathcal{U}_{[t_0,\tau]}\,\varphi_2\rrbracket^{+}\,d\tau \\
&\ge \lim_{t\to\infty}\frac{t-t'}{t-t_0}\,\alpha'
&& \text{by (2)} \\
&= \alpha' .
\end{aligned}
$$

Therefore we have 

$$
\forall \alpha' < \alpha + \varepsilon.\ (\mathrm{RHS}) = \alpha \ \wedge\ (\mathrm{RHS}) \ge \alpha'
$$

and hence ε = 0. Consequently (LHS) = (RHS). 

□ 


B.3 Proof of Prop. 2.9 and 2.10 

We start with the following lemmas. 

Lemma B.1 (logical monotonicity) Let C be a positive context (Def. 2.8). We have 

$$
\begin{aligned}
\forall\sigma.\ \llbracket\sigma,\varphi\rrbracket^{+} \le \llbracket\sigma,\varphi'\rrbracket^{+}
&\ \text{ implies }\ \forall\sigma.\ \llbracket\sigma, C[\varphi]\rrbracket^{+} \le \llbracket\sigma, C[\varphi']\rrbracket^{+}; \text{ and} \\
\forall\sigma.\ \llbracket\sigma,\varphi\rrbracket^{-} \le \llbracket\sigma,\varphi'\rrbracket^{-}
&\ \text{ implies }\ \forall\sigma.\ \llbracket\sigma, C[\varphi]\rrbracket^{-} \le \llbracket\sigma, C[\varphi']\rrbracket^{-} .
\end{aligned}
$$

Proof. By induction on the construction of the positive context C. □ 

Lemma B.2 Let φ, φ' be AvSTL formulas and C be a positive context. Then 

$$
\forall\sigma.\ \bigl(\llbracket\sigma,\varphi\rrbracket^{+} > 0 \Rightarrow \llbracket\sigma,\varphi'\rrbracket^{+} > 0\bigr)
$$

implies 

$$
\forall\sigma.\ \bigl(\llbracket\sigma, C[\varphi]\rrbracket^{+} > 0 \Rightarrow \llbracket\sigma, C[\varphi']\rrbracket^{+} > 0\bigr) .
$$

Proof. Straightforward by induction on the construction of C. □ 

Now we prove Prop. 2.9, soundness and completeness of ◇-refinement. 


Proof. (Of Prop. 2.9) Obviously we have ⟦σ, ◇̃_[a,b] φ⟧^+ ≤ ⟦σ, ◇_[a,b] φ⟧^+; therefore by 
Lem. B.1 we have 

$$
\llbracket\sigma, C[\widetilde{\Diamond}_{[a,b]}\varphi]\rrbracket^{+} > 0 \ \Rightarrow\ \llbracket\sigma, C[\Diamond_{[a,b]}\varphi]\rrbracket^{+} > 0 .
$$

To prove the opposite direction, by Lem. B.2 it suffices to show the following. 

$$
\llbracket\sigma, \Diamond_{[a,b']}\varphi\rrbracket^{+} > 0 \ \Rightarrow\ \llbracket\sigma, \widetilde{\Diamond}_{[a,b]}\varphi\rrbracket^{+} > 0
\qquad \text{for any } b' < b .
$$

Assume ⟦σ, ◇_[a,b'] φ⟧^+ > 0. Then 

$$
\begin{aligned}
\llbracket\sigma, \widetilde{\Diamond}_{[a,b]}\varphi\rrbracket^{+}
&= \frac{1}{b-a}\int_{a}^{b}\llbracket\sigma, \Diamond_{[a,\tau]}\varphi\rrbracket^{+}\,d\tau
&& \text{by the definition of } \widetilde{\Diamond} \\
&= \frac{1}{b-a}\Bigl(\int_{a}^{b'}\llbracket\sigma, \Diamond_{[a,\tau]}\varphi\rrbracket^{+}\,d\tau
 + \int_{b'}^{b}\llbracket\sigma, \Diamond_{[a,\tau]}\varphi\rrbracket^{+}\,d\tau\Bigr) \\
&\ge \frac{1}{b-a}\Bigl(\int_{a}^{b'} 0\,d\tau
 + \int_{b'}^{b}\llbracket\sigma, \Diamond_{[a,b']}\varphi\rrbracket^{+}\,d\tau\Bigr)
&& \text{by Prop. 2.4 and } b' < b \\
&= \frac{b-b'}{b-a}\,\llbracket\sigma, \Diamond_{[a,b']}\varphi\rrbracket^{+} > 0 . \qquad \square
\end{aligned}
$$
Then we prove Prop. 2.10, soundness and completeness of □-refinement. 

Proof. (Of Prop. 2.10) From Lem. B.1, 

$$
\llbracket\sigma, C[\Box_{[a,b]}\varphi \wedge \widetilde{\Box}_{[b,b+\delta]}\varphi]\rrbracket^{+} > 0
\ \Rightarrow\ \llbracket\sigma, C[\Box_{[a,b]}\varphi]\rrbracket^{+} > 0
$$

is obvious. We want to show the other direction. From Lem. B.2 it suffices to show 

$$
\llbracket\sigma, \Box_{[a,b']}\varphi\rrbracket^{+} > 0
\ \Rightarrow\ \llbracket\sigma, \Box_{[a,b]}\varphi \wedge \widetilde{\Box}_{[b,b+\delta]}\varphi\rrbracket^{+} > 0
$$

for any b' > b. Here □_[a,b'] φ ≡ □_[a,b] φ ∧ □_[b,b'] φ, hence the above implication holds 
if so does the following. 

$$
\llbracket\sigma, \Box_{[b,b']}\varphi\rrbracket^{+} > 0 \ \Rightarrow\ \llbracket\sigma, \widetilde{\Box}_{[b,b+\delta]}\varphi\rrbracket^{+} > 0 .
$$

In the case of b' ≥ b + δ, it obviously holds. Otherwise, in the case of b < b' < b + δ, 
we proceed as follows. Assume ⟦σ, □_[b,b'] φ⟧^+ > 0. Then 

$$
\begin{aligned}
\llbracket\sigma, \widetilde{\Box}_{[b,b+\delta]}\varphi\rrbracket^{+}
&= \frac{1}{\delta}\int_{b}^{b+\delta}\llbracket\sigma, \Box_{[b,\tau]}\varphi\rrbracket^{+}\,d\tau
&& \text{by the definition of } \widetilde{\Box} \\
&= \frac{1}{\delta}\Bigl(\int_{b}^{b'}\llbracket\sigma, \Box_{[b,\tau]}\varphi\rrbracket^{+}\,d\tau
 + \int_{b'}^{b+\delta}\llbracket\sigma, \Box_{[b,\tau]}\varphi\rrbracket^{+}\,d\tau\Bigr) \\
&\ge \frac{1}{\delta}\Bigl(\int_{b}^{b'}\llbracket\sigma, \Box_{[b,b']}\varphi\rrbracket^{+}\,d\tau
 + \int_{b'}^{b+\delta} 0\,d\tau\Bigr)
&& \text{by Prop. 2.4 and } b < b' < b+\delta \\
&= \frac{b'-b}{\delta}\,\llbracket\sigma, \Box_{[b,b']}\varphi\rrbracket^{+} > 0 .
\end{aligned}
$$

□ 


B.4 Proof of Thm. 3.5 


Proof. We obtain the robustness value ⟦σ, φ⟧^+ via the robustness signals [ψ]^+ for subformulas 
ψ of φ. This is done by induction on ψ. 

Before we hit an averaged modality we use the algorithm from [11] (described 
in §3.1). Note that all the signals that we deal with are finitely piecewise-constant; 
by analyzing [11, Thm. 3], it is easy to see that the computation of [ψ]^+ has time-complexity 
in O(|ψ| |σ|). Furthermore, the size of [ψ]^+ (in the sense of Def. 2.2) is in 
O(|σ|). 

Once we hit an averaged modality (like ◇̃_I or Ũ_I), it is taken care of by Algorithm 1 
(for ◇̃_I), Algorithm 3 (for Ũ_I) and their adaptations (for □̃_I and R̃_I). The 
time-complexity of the computation is O(|ψ| |σ|), and the resulting signal [ψ]^+ has 
size in O(|σ|). The difference, however, is that the robustness signal [ψ]^+ is no longer 
finitely piecewise-constant but is piecewise-linear. 

After that we again apply the algorithm from [11] (see §3.1), but now to the input 
signal that is finitely piecewise-linear. In this case, the time-complexity as well as the 
size of [ψ]^+ is shown to be in O(d^{|ψ|} |ψ| |σ|) [11, Thm. 3]. The extra factor d^{|ψ|} is due to 
the extra timestamped values that arise from two sloped lines crossing each other. □ 


C The Automatic Transmission Model [12] 

The model is given by a Simulink diagram in Fig. 10; therein the block for the digital 
controller of the gear is realized as a Stateflow diagram in Fig. 8. An example of the 
model's trajectories is in Fig. 9. 

[Fig. 8. The automatic transmission model from [12]: the Stateflow diagram for the digital 
controller of the gear. Figure not reproduced.] 

[Fig. 9. The automatic transmission model from [12]: a trajectory example. Figure not reproduced.] 

[Fig. 10. The automatic transmission model from [12]: the Simulink diagram ("Modeling an 
Automatic Transmission Controller"). Figure not reproduced.] 
